Insecure Apps & APIs are a Problem

Web applications are being targeted:
- Most common data breach pattern *
- Top hacking vector *

- Your business depends on web applications
- Any app or API can be a foothold into your organization
- Developers are not incentivized for security
- Cloud-based apps are easy for developers to deploy

Examples shown: U.S. Postal Service (API), MyFitnessPal (API), Equifax, Ashley Madison

* Source: 2018 Verizon DBIR


Apps & APIs are Everywhere

- Public-Facing Web Apps
- Internal Web Apps
- Apps in Public Clouds (Amazon Web Services, Google Cloud Platform, Microsoft Azure)
- REST APIs
- New Apps under Development
Web Application Scanning Review

Qualys Web Application Scanning

- A leading dynamic application security testing (DAST) tool
- Identifies app-layer vulnerabilities: OWASP Top 10, web-related CVEs
- Includes automated crawling
- Supports Selenium scripts
- Malware monitoring as a bonus

Screenshot: Web Application Management view, with a web application (http://2k3r2-sp1-32bit.vuln.qa.qualys.com:8080, Windows Server 2003 R2 Service Pack 1) added from scan data consolidated from VM on 23 Aug 2017.

Built for the Enterprise

- Web App Discovery
- Unlimited scans & users
- RBAC
- Tagging
- Scan for malware
- Integration with manual pen testing tools

- Scheduled scans
- Ad-hoc, targeted scans
- Multi-site scans
- Retest vulnerability
- Swagger support

- Massive scalability
- Detection history
- Scheduled reports
- Customizable reports

- Robust API
- CI/CD integration
- Unique integration w/Qualys WAF
What's New in Qualys WAS

Scanning REST APIs

- Swagger is a specification that describes a set of REST APIs (swagger.io / OpenAPI, https://www.openapis.org)
- Swagger file typically available from dev team
- Set Swagger file as target URL in Qualys WAS
- API endpoints are automatically tested for vulnerabilities
- Swagger v2 JSON format currently supported
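What a scanner derives from a Swagger v2 file, as an added example (not Qualys code): a Python routine that enumerates every endpoint (method and full URL built from schemes, host, basePath and path) together with the parameters a scanner would test, applying the Swagger v2 rule that operation-level parameters override path-level ones. The sample spec and the host api.example.test are constructed for illustration.

```python
"""Added example (not Qualys code): list the endpoints a DAST scanner derives
from a Swagger v2 JSON file: method, URL from schemes/host/basePath/path,
and the parameters it would test."""
import json

# Constructed sample spec; hostname and paths are made up for illustration.
SAMPLE_SPEC = json.dumps({
    "swagger": "2.0",
    "host": "api.example.test",
    "basePath": "/v1",
    "schemes": ["https"],
    "paths": {
        "/users/{id}": {
            # Path-level parameter, shared by every operation on this path.
            "parameters": [{"name": "id", "in": "path", "required": True, "type": "integer"}],
            "get": {"parameters": [{"name": "fields", "in": "query", "type": "string"}]},
            "delete": {},
        },
        "/login": {
            "post": {"parameters": [{"name": "body", "in": "body", "schema": {"type": "object"}}]},
        },
    },
})

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch"}

def enumerate_endpoints(spec_json: str) -> list:
    """Return sorted (METHOD, url, [(param_name, location), ...]) tuples."""
    spec = json.loads(spec_json)
    if spec.get("swagger") != "2.0":
        raise ValueError("only Swagger v2 JSON is handled here")
    scheme = (spec.get("schemes") or ["https"])[0]
    base = f"{scheme}://{spec['host']}{spec.get('basePath', '')}"
    endpoints = []
    for path, item in spec.get("paths", {}).items():
        # Operation-level parameters override path-level ones with the same
        # name and location (the Swagger v2 merge rule).
        shared = {(p["name"], p["in"]): p for p in item.get("parameters", [])}
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # "parameters" and x- extensions are not operations
            params = dict(shared)
            params.update({(p["name"], p["in"]): p for p in op.get("parameters", [])})
            endpoints.append((method.upper(), base + path, sorted(params)))
    return sorted(endpoints)

if __name__ == "__main__":
    for method, url, params in enumerate_endpoints(SAMPLE_SPEC):
        print(f"{method:7}{url}  params={params}")
```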


Jenkins Plugin for WAS

Screenshot: Jenkins Pipeline Snippet Generator showing the sample step "qualysWASScan: Qualys WAS Plugin for Jenkins". The step's API Login section takes the API Server URL (e.g. https://qualysapi.qualys.com), API Username and API Password, an optional "Use Proxy Settings" checkbox and a "Test Connection" button ("Connection test successful").


Manual Testing Complements WAS

- Dynamic application testing is one piece of the AppSec puzzle
- Manual penetration testing is important for your business-critical apps

Qualys WAS offers:
- Bugcrowd integration
- Burp Suite integration
- Partnerships with consulting shops
Bi-directional Integration with Bugcrowd
Qualys WAS Burp Extension

Burp Suite + Web Application Scanning

- A quick, intuitive way to send Burp-discovered issues into WAS
- Provides centralized viewing/reporting of WAS detections + Burp Issues
- Available in Burp's BApp Store


Qualys WAS Burp extension

Screenshot: the BApp Store tab in Burp Suite (Extender > BApp Store), listing the "Qualys WAS" extension (Pro extension, last updated 06 Aug 2018) with the following description.

The Qualys WAS Burp extension provides a way to easily push Burp scanner findings to the Web Application Scanning (WAS) module within the Qualys Cloud Platform. As a Qualys WAS customer, you can then view and report Burp issues alongside WAS findings for a more complete picture of your web application's security posture.

To learn more about Qualys WAS, its integration with Burp, and the additional security and compliance solutions available in the Qualys Cloud Platform, please visit [link not captured].

Requirements:
- Qualys WAS subscription, including API
- Burp Suite Professional 1.7 or later

Features:
- Straightforward setup and usage
- Selected Burp scanner finding(s) exported to Qualys WAS via context menu
- Option to purge or close existing Burp issues in WAS
- Supports all Qualys shared platforms as well as private cloud platforms
- Upstream proxy server settings in Burp are honored automatically
- Written in Java

Usage:
1. Add the extension to your instance of Burp Suite Professional by installing directly from the "BApp Store" tab within Burp or by loading the jar file from the Extensions tab.
2. In the "Qualys WAS" tab, select the appropriate Qualys platform for your subscription and enter your Qualys username & password.


WAS Enhancements, YTD

Jan 2018: CMS vulns; Multi-scan alerts; Update QID mappings to 2017 OWASP Top 10
April 2018: Swagger; Jenkins plugin; Qualys Browser Recorder; Test Authentication; Exclude parameters
May 2018: Added CSV v2 report; Add'l CMS vulns
June 2018: SSTI; Header injection; WebLogic RCE; RichFaces RCE; "Spring Break"; PrimeFaces RCE
July 2018: Burp extension; Results for cancelled scans; Improved scan status; Scan settings snapshot; Retest multiple findings
Sept 2018: Browser engine upgrade; XSS Power Mode; Tag apps upon import; ESI injection; WebSocket detection
Oct 2018: Blueimp file upload; Telerik crypto flaw
Qualys WAS Roadmap

Dec 2018: Blind XPATH injection; Improved KB search; Custom report footer; Burp & Bugcrowd findings added to report; Ignore finding time limit; "Launch Now" for scheduled report
Jan 2019: Custom scan intensity; Jenkins plugin v2; Support OpenAPI v3; Support Postman Collections
Feb-Mar 2019: TLS 1.3 support; SSL/TLS detections; Out-of-band detections; Security header tests; Enhanced crawling; CyberArk PIM integration
Q2-Q3 2019: Elasticsearch; New dashboard; UI modernization
And Coming in 2019

API Security

Remi Le Mer


Web Application Firewall Review

Qualys WAF

- Integration with WAS
- Architecture improvements
- Integration with Docker
- Security Improvements
- Roadmap - standalone
- Roadmap - Integrated Suite

Screenshot: WAF Dashboard - All Web Applications (08 Oct 2018 to 07 Nov 2018) with Event Summary, Events and Traffic Origins panels.
WAS / WAF Integration: ScanTrust

ScanTrust: Challenge your WAF protection
Assess both the application and the policy that protects it

Screenshot: WAS Detection List for waf-demo.qualys.com (BodgeIt login and search pages), showing Blind SQL Injection and Reflected Cross-Site Scripting (XSS) findings with status Protected, Fixed or New, a Patch column, and per-finding actions (View Detection, Install Patch, Edit Severity, Ignore).


WAS / WAF Integration: Virtual Patch

Virtual Patch: One-click mitigation tool for CISO teams
Run from within WAS to address confirmed threats

Dialog text: "We'll automatically add a virtual patch rule to your WAF to block exploitation of the selected vulnerability on your web application. You can easily remove the virtual patch (and rule) at any time either here or from the WAF management interface."

Screenshot: Patch Details for a New finding, showing the generated rule (When request.header.content-type MATCH ".*\%.*\{.*multipart/form-data$") and the condition "[request header] Content-Type DETECT 150173".
What's New in Qualys WAF

Supported Platforms

Shared and Private Qualys Cloud Platforms

Screenshot: "Select Virtual Appliance Image" dialog ("Choose the virtualization platform you want to use to run your WAF appliance on.")

Platform - Details
VMware - Standard VMware virtualization platform
Hyper-V - Microsoft Hyper-V 5.1 virtualization platform
Amazon EC2 - Amazon EC2-Classic, Amazon EC2-VPC
Microsoft Azure - Microsoft Azure platform
Google Cloud platform
Docker platform
WAF Architecture Improvements

Easy and Usable Architecture

- Virtual Reverse-Proxy
- Cluster-able within hybrid topologies
- Load-Balancing capabilities
- SSL/TLS cipher suite controls
WAF Architecture Improvements

Virtual Appliance & Container (v1.5.3)

- XML/JSON content inspection
- Docker Host integration for backend automation
- Better performance
- Scheduled upgrades
- Orchestration via Qualys API


Docker Single Host

Diagram: the WAF on a single Docker host.
- docker CLI: access to docker services via unix sockets
- Controls: containers (start | stop | delete | inspect), networks, images (pull | push | delete)
- Stores images
- Containers (#1, #2, ...) running Web App A, Web App B, ...
- Docker network (internal) and Physical network (external)
- Continuous Security


Docker Multiple Hosts

Diagram: the same model across several Docker hosts, each with its own containers (Container #1 running a Web App) and its own physical network; the WAF has access to the docker services on each host.


Security Improvements

- Custom Rules: write and manage your own filters
- XML/JSON inspection
- Virtual Patches and Event Exceptions
- Latency control
- Rewriting capabilities (headers)

Qualys Rulesets and Templates
- DAG based inspection, programmable logic
- Drupal 8.0.x, Joomla 3.4.x, Magento 2.5-2.6, Wordpress 4.2.x-4.3.x
- JBoss 4.x-7.x, OWA 2010-2017, Sharepoint 2010-2017, Tomcat 8.0.x
- Qualys Generics for unknown apps
Qualys WAF Roadmap

WAF Roadmap - Standalone

Dec 2018: New Custom Rules keys + Community Library; Revamped Security Events; Enriched CLI and local events logs
Jan 2019: Appliance Major Release (v1.6.0): TLSv1.3, HTTP/2, improved network management capabilities
Mar 2019: Templates: API Generics, Microsoft ADFS, JD Edwards
Q2 2019: Customizable Dashboard; Alert Reports; Improved RBAC
Q3 2019: Appliance empowered with Network Clustering
Q4 2019: Traffic Management: ddos, ip-reputation, Bots, Scraping
WAF Roadmap - Integrated Suite

Dec 2018: AI - Feed Application inventory with backend information
Jan 2019: UD - WAF widgets and queries (WAS & WAF); ScanTrust enabled on VM
Mar 2019: WAS reports with ScanTrust details
Q2 2019: App's Sitemap v2; SSL implementation
Q3 2019: Virtual Patch supports Burp and Bug Bounties
Q4 2019: CV - fetch app's grade and patch